
There is currently no known way to decrypt files that have been encrypted by GlobeImposter 2. You can try ShadowExplorer and see if the ransomware failed to delete Volume Shadow Copies. If they were deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies and then use ShadowExplorer to recover files. However, this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, the odds of there being backup copies of important files in them are low to begin with. This is a rather advanced method of recovery, so it may be necessary to find a local computer technician who can assist you.

It's important to keep in mind that different ransomware families are different; however, here are some common ways this sort of infection spreads:

Through e-mail. It's very common to receive e-mails that have malicious attachments, and with certain ransomware families (especially Locky) they like to send an e-mail pretending to be information (such as an invoice) from a shipping company or something similar. In the case of Locky the malicious file is inside a ZIP archive, so you don't know what it is before you download it and extract it.

Online advertisements. It is not abnormal for people with malicious intent to abuse advertisements on legitimate websites in order to spread infections. One of the worst cases of this happened several years ago, where a ransomware (I would believe CryptoWall) was being spread through advertisements on several of Yahoo!'s websites. The criminal behind CryptoWall had paid to put advertisements on Yahoo!'s websites, and the advertising company that Yahoo! uses didn't notice that the advertisements contained malicious code that I would believe was from an exploit kit (exploit kits allow automated installation of infections when people visit a webpage where the exploit kit is present).

Direct hacking. While I often hesitate to use the word "hack" here, it is how most people would understand it. What happens is that scripts being run by criminals scan the Internet looking for computers with certain open ports in firewalls that allow them access to vulnerable services. When the script finds computers with vulnerable ports, the information is logged, and an actual person will select computers from the list of potentially vulnerable systems that were found and begin trying to gain access to them. A particular favorite, since it usually means they found a business they can extort for money, is Microsoft's Remote Desktop (RDP); if they find an open port for it, they will try to brute-force the password for administrator accounts and see if they can get in. If they manage to get in, they will then manually disable any security software and manually execute their ransomware on the victim's computer.

Obviously there are other ways you can run into ransomware as well, such as downloading files from unsafe websites and/or file sharing networks.

As for online advertisements, we usually recommend uBlock Origin to block those. You can get uBlock Origin for Mozilla Firefox and Microsoft Edge. For Google Chrome and Vivaldi I recommend both uBlock Origin and uBlock Origin Extra to help avoid advertisements that would otherwise circumvent uBlock Origin's protection.
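One way a defender can spot the RDP password guessing described in the post is to look for bursts of failed remote logons per source address in the Windows Security log. The following is an added example, not code from the original post; it runs over constructed, simplified lines that carry the relevant fields of Event ID 4625 (failed logon) with LogonType 10 (RemoteInteractive, i.e. RDP) and flags any source with five or more failures inside a five-minute window.

```python
"""Flag RDP password-guessing from simplified Windows Security log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data), one failed logon per line:
# timestamp | EventID | LogonType | TargetUserName | IpAddress
SAMPLE_LOG = """\
2023-05-01T02:00:01 4625 10 Administrator 198.51.100.7
2023-05-01T02:00:03 4625 10 administrator 198.51.100.7
2023-05-01T02:00:04 4625 10 admin 198.51.100.7
2023-05-01T02:00:06 4625 10 Administrator 198.51.100.7
2023-05-01T02:00:09 4625 10 backup 198.51.100.7
2023-05-01T02:00:11 4625 10 Administrator 198.51.100.7
2023-05-01T02:15:00 4625 10 alice 203.0.113.5
2023-05-01T02:16:00 4625 2 alice 127.0.0.1
"""


def parse_events(text):
    """Parse the simplified lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts),
                       "event_id": int(event_id),
                       "logon_type": int(logon_type),
                       "user": user, "ip": ip})
    return events


def rdp_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_rdp_failures} for every source address that has at
    least `threshold` failed RDP logons (4625 + LogonType 10) inside any
    sliding window of length `window`. Other logon types are ignored."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 10:
            by_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print(rdp_bruteforce_sources(parse_events(SAMPLE_LOG)))
```

In the sample, only 198.51.100.7 is flagged: six RDP failures in ten seconds against several account names, while the single failure from 203.0.113.5 and the local (LogonType 2) failure are left alone.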